IPsec packet drop , once the ecmp is enabled

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IPsec packet drop , once the ecmp is enabled

L3 Networker

Hi Team 

 

we are facing packet drop issue on ipsec traffic once the ecmp is enabled . 

we have two ISP and wish to balance the traffic and using balanced round robbin for the same , once this is enabled ipsec packet drop occurs and if we disable ecmp everything is fine . 

The first internet line is lease line on which the ipsec is terminated and the other line is ADSL i.e. dynamic IP . 

i am suspecting , since the ecmp is enabled the traffic is going from adsl line and the return traffic is coming on lease line and getting dropped by FW . 

please advise if there is any solution for this senario... if i ebale IP modulo or IP hash for ECMP will this resolve the issue or PBF for symetric return ??

12 REPLIES 12

Cyber Elite
Cyber Elite

hi @Rameshwar

 

how did you configure the vpn exactly? is it bound to a loopback or the physical interfaces

IP modulo/hash should help the connection be 'sticky' to a single link and only switch when the link goes down

PBF will not be an option as you can't control system sourced connections through pbf

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

hi @reaper

 

the ipsec is configured to use the tunnel interface and terminated on the physical interface of 1st IP i.e. the lease line. 

i guess ip modulo\hash should help is resolving this issue ...any more suggestions on this senario

if the VPN is bound to the physical interface of the leased line, you should also be able to add a static route for the remote peer pointed to the next hop on the leased line (metric 1)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

If VPN is bound to IP of first ISP then it should never go over 2nd interface. As you will always receive return packets on first.

 

However if you choose something else of phase 1 identification (or seperate IP for ID and transport IP for phase 1) you can setup tunnel with dynamic IPs.

Hi @santonic

Sorry for th typo ... it is first isp ... the change in the ipsec config will not be the option as this is production fw .

Then this IPSEC traffic must stick to first ISP cause reply will always come over that one.

 

 

Hi @reaper

So what I understand is to add the static route for ipsec traffic as a next hop i.e the router ip of first isp with metric 1......but we already added proxy id that shuld add the route but may be not with metric 1 ... but if i add the route as next hop router ip then the traffic will go to the internet n not through the tunnel or shuld i select tunnel interface while adding the route?

Hi @santonic

I agree but we are using the ecmp balanced round robbin in this i guess fw is sending to adsl line n the return is coming to lease line .. since lease line doesnt know abut it it is dropping .

proxy IDs are routing _inside_ the tunnel, this has no impact whatsoever in regards to the physical route the tunnel takes

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

thank you ..but m kind of confuse here.. when you say...if the VPN is bound to the physical interface of the leased line, you should also be able to add a static route for the remote peer pointed to the next hop on the leased line (metric 1)...

the destination is private IP or public ip of remote peer ? ...the next hope will be the ISP router IP of lease line ?

The public IP of the remote vpn peer , pointed to the router of the leased line

This will ensure outgoing vpn connections always go out the ISP1 interface

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you for the clarification ...i will try the same and let you know if this helps ...

  • 4563 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!